Hi readers!
Threat intelligence is one of the most powerful tools an organization can have to deter Advanced Persistent Threats (APTs). Threat intelligence contains information that helps us understand threat actors, malicious software and vulnerabilities. Examples of threat intelligence data are malicious IPs, hashes of malicious files and the tools used by threat actors. Analyzing this data puts it into context and surfaces the threats that are most relevant to the organization. This information is needed to produce a mitigation plan for ongoing or impending threats. But the big question for today is: how do we collect and store threat intelligence data? Today's sharing covers the first step of the journey in harnessing threat intelligence and shows the audience how to build their own Threat Intelligence Platform (TIP).
So, get your laptops or PC ready and start following the instructions provided.
- First and foremost, you will need a device to build the platform on; the next step is to download and install the open-source software. For beginners who are only starting to get their feet wet, using your laptop or PC is recommended. Advanced users who have access to cloud technology or their own hosting server might consider building the platform on that infrastructure instead.
Next, install Docker, a container-based virtualization technology, on your host machine or virtual machine from https://docs.docker.com/get-docker/ and follow the guide for your operating system. You also need to install docker-compose by following the installation guide at https://docs.docker.com/compose/. After that, download the Malware Information Sharing Platform (MISP) Docker project maintained by Jason Kendall (Coolacid) at https://github.com/coolacid/docker-misp. MISP is an open-source threat intelligence platform developed for the community to share threat indicators of compromise; you can find further information at https://www.misp-project.org/.
cd <directory of the downloaded project file>
ls <directory of the project>   (or "dir <directory of the project>" for Windows users)
- Use the command above to confirm that you are now in the right working directory and able to view the docker-compose.yml file.
docker-compose up -d
docker container ls
Figure 1: MISP login page
- Figure 1 shows the MISP login page. To get to it, open your browser and navigate to https://localhost.
- Advanced users can set the "HOSTNAME=https://<hostname>" variable in the docker-compose.yml file and edit the hosts file on their device so that the chosen hostname resolves to localhost.
Username: [email protected]
- Above is the default credential for MISP. You need to change the password to an alpha-numeric password after your first login.
Figure 2: MISP home page
- If you are greeted by the MISP dashboard as shown in Figure 2, congratulations! You can now start using MISP and explore the functionalities available.
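The steps above, gathered into one script as an added example (this is not code from the original post or from the docker-misp project). It assumes the cloned repository sits at $MISP_DIR and that the compose file carries a HOSTNAME line of the form shown earlier; the set_hostname and count_misp_containers helpers are hypothetical names chosen here.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or the docker-misp project.
# Assumes the coolacid/docker-misp checkout lives at $MISP_DIR (default below).
set -eu
MISP_DIR="${MISP_DIR:-$HOME/docker-misp}"

# Return 1 if docker or docker-compose is not installed.
check_prereqs() {
  local tool missing=0
  for tool in docker docker-compose; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; missing=1; }
  done
  return "$missing"
}

# Point the HOSTNAME variable in a docker-compose.yml at https://<host> (keeps a .bak copy)
# and print the value now in the file. Hypothetical helper for the "advanced users" step.
set_hostname() {
  local compose_file="$1" host="$2"
  sed -i.bak -E 's#^( *- *"?HOSTNAME=)https://[^"[:space:]]*#\1https://'"$host"'#' "$compose_file"
  grep -oE 'HOSTNAME=https://[^"[:space:]]+' "$compose_file" | head -n1 | cut -d= -f2
}

# Count rows of `docker container ls` output whose IMAGE column mentions misp.
# The output is passed in as an argument so the check can also run without Docker.
count_misp_containers() {
  printf '%s\n' "$1" | awk 'NR > 1 && $2 ~ /misp/' | wc -l | tr -d ' '
}

# Poll the MISP login page until it answers 200 (-k: the bundled certificate is self-signed).
wait_for_misp() {
  local url="${1:-https://localhost}" tries="${2:-30}" i=0
  while [ "$i" -lt "$tries" ]; do
    curl -ksf -o /dev/null "$url/users/login" && return 0
    i=$((i + 1)); sleep 5
  done
  return 1
}

# Full run of the post's steps; only executed when RUN_MISP_SETUP=1 is set.
main() {
  check_prereqs
  cd "$MISP_DIR" && ls docker-compose.yml
  docker-compose up -d
  echo "MISP containers running: $(count_misp_containers "$(docker container ls)")"
  wait_for_misp && echo "MISP login page is up at https://localhost"
}
if [ "${RUN_MISP_SETUP:-0}" = "1" ]; then main; fi
```

Run it as `RUN_MISP_SETUP=1 MISP_DIR=/path/to/docker-misp bash setup-misp.sh`; without RUN_MISP_SETUP it only defines the helpers.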
There is more to cover on this topic, but for now I will leave you to familiarize yourself with the TIP. Have fun exploring this amazing tool, and stay tuned for more sharing on its configuration and an in-depth discussion of this topic.
Stay safe. Goodbye for now.
Credits: MISP and Jason Kendall (Coolacid)